AWStats

Flexible but Insecure

Almost every web author wants to learn every detail about his site and
its visitors. Other people typically interested in web analytics are
web hosting providers, both as a service for their customers and as an
early-warning system in case of trouble. A graphical log file analyzer
like AWStats transforms the rather dull log file content into a more
comprehensible representation.

AWStats aims to satisfy both user groups. The Perl script can be run
from the command line to produce static HTML pages or run as a CGI
application. Although AWStats can also manage log files for mail, FTP
and other servers, it is most suitable for web servers.

Configuration is done via a config file in which the location of the
log file and the domain name(s) have to be specified. AWStats has no
problems with multiple virtual hosts, even when their traffic is logged
to the same file. Typically, the statistics are updated by a cron job,
but triggering updates via the web interface can also be enabled.

[Figure: Monthly summary]

AWStats presents its data grouped by month. Visitors, number of
visits, pages, hits and bandwidth are shown per day of the month,
per day of the week and per hour. Averages and totals are available as
well. Bar charts give a direct visual impression of the data.

In the next tables, the visitors' IP addresses (optionally grouped by
country using geolocation), operating systems and browsers are given.
Probably the most important statistics, the most popular URLs and
referrers, are also found there, followed by the most frequent search
queries and keywords. In the main window, only the first few places are
shown, but the complete data is available, too. Based on the time
between a visitor's first and last document access, AWStats tries to
calculate an average visit duration.

While the amount of different statistics is quite impressive, the
filtering options are not very helpful. The only available time spans
are a month or a year, so asking how many people have downloaded PDF
files from a certain directory during the last week is impossible.

You can add additional statistics by defining extensions in the config
file. Using regular expressions you can filter URLs, referrers,
virtual hosts and other parameters. For example, this allows you to
track product orders in an online shop.
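The following config fragment is an added example of such an extension; it is not part of the AWStats distribution or of the original review. The directive names follow the ExtraSection block documented in awstats.model.conf, while the shop script path and the "product" query parameter are assumptions chosen for the illustration.

```conf
# Added example (not from AWStats): an ExtraSection that counts
# successful requests to a hypothetical shop script, keyed by the product
# id taken from the query string. Script path and parameter name are
# assumptions; replace them with the URL pattern of your own shop.
ExtraSectionName1="Product orders"
# Only count responses with these HTTP status codes.
ExtraSectionCodeFilter1="200 304"
# Condition is "FIELD,regex"; this one matches the hypothetical shop URL.
ExtraSectionCondition1="URL,\/cgi-bin\/shop\.cgi"
ExtraSectionFirstColumnTitle1="Product ID"
# The capture group of this regex becomes the value of the first column.
ExtraSectionFirstColumnValues1="QUERY_STRING,product=([^&]*)"
ExtraSectionFirstColumnFormat1="%s"
# H = hits, B = bandwidth (P would add pages, L last access).
ExtraSectionStatTypes1=HB
ExtraSectionAddAverageRow1=0
ExtraSectionAddSumRow1=1
MaxNbOfExtra1=20
MinHitExtra1=1
```

Several sections can be defined by incrementing the trailing number of each directive; the conditions are ordinary regular expressions, so the same mechanism filters referrers or virtual hosts just as well as URLs.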

AWStats received attention last year when the Lupper worm used an
AWStats vulnerability to infect web servers around the net. To see how
the developers reacted, OS Reviews took a quick look at the code. As a
result, the following new vulnerabilities have been discovered:

If updating the stats via the web front-end is allowed, a remote
attacker can execute arbitrary code on the server using a specially
crafted request involving the migrate parameter. Input starting with a
pipe character ("|") leads to an insecure call to Perl's open function,
and the rest of the input is executed in a shell. The code runs in the
context of the process running the AWStats CGI.

Arbitrary code can be executed by uploading a specially
crafted configuration file if an attacker can put a file on the
server with chosen file name and content (e.g. by using an FTP
account on a shared hosting server). In this configuration file,
the LogFile directive can be used to execute shell code
following a pipe character. As above, an open call on
unsanitized input is the source of this vulnerability.
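Both of the holes above come from the same Perl idiom, so here is one added example for both; it is not AWStats code and does not reproduce the vulnerable lines of the script. It shows why handing an unsanitized value to Perl's two-argument open is dangerous (the mode is parsed out of the string itself, so a leading or trailing "|" turns the rest into a shell command), what the three-argument form changes, and a simple plausibility check a defender can run before any open. The sample inputs are constructed; the function names are assumptions.

```perl
#!/usr/bin/perl
# Added example (not AWStats code): why two-argument open on user input is
# unsafe, and what the hardened pattern looks like.
use strict;
use warnings;

# Constructed sample values, standing in for what could arrive via a CGI
# parameter or a LogFile directive in a config file an attacker controls.
my @inputs = (
    '/var/log/apache2/access.log',   # ordinary filename
    '|id',                           # leading pipe: run "id" in a shell
    '/etc/passwd|',                  # trailing pipe: also a command
    '>/tmp/clobber',                 # leading '>' truncates a file
);

# Vulnerable pattern, shown for illustration only and never called here:
# with two arguments, open() reads the mode from the string, so "|cmd"
# starts a shell running cmd instead of opening a file named "|cmd".
# sub open_unsafe { my ($name) = @_; open(my $fh, $name) or return undef; return $fh; }

# Hardened pattern: an explicit mode means the value is always a filename.
# Given '|id' this simply fails with "No such file or directory".
sub open_safe {
    my ($name) = @_;
    open(my $fh, '<', $name) or return undef;
    return $fh;
}

# Defence in depth: reject anything that does not look like a plain path
# before it reaches open(), so the attempt can be refused and logged.
sub looks_like_plain_path {
    my ($name) = @_;
    return 0 if $name =~ /^\s*[|<>+]/;       # mode prefixes 2-arg open honours
    return 0 if $name =~ /\|\s*$/;           # trailing pipe (read from command)
    return 0 if $name =~ /[\0\n\r;&`\$]/;    # NUL, newlines, shell metacharacters
    return 1;
}

for my $in (@inputs) {
    printf "%-28s %s\n", $in,
        looks_like_plain_path($in) ? 'accepted' : 'rejected';
}
```

Running the script prints "accepted" only for the first value. The important point is the order: the three-argument open removes the shell from the picture entirely, and the validation function is an additional layer that lets a log analyzer refuse suspicious values with a clear error instead of silently trying to open them.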

Furthermore, the cross-site scripting vulnerability described
in
CVE-2006-1945
also exists with the diricons parameter and possibly others
as well.

Particularly notable about these holes is that they are very similar
to previously discovered ones. The problems with calls to the open
function were already known before. Additionally, the developers claim
that only one vulnerability has been found in the history of AWStats,
which is simply not true.

To be honest, not everything is bad about AWStats. However, unless its
security record improves, AWStats should only be used to generate
static content or on a private web server.